[Skiboot] [PATCH v2 3/9] secureboot: initialize secure variables if supported by the platform

Eric Richter erichte at linux.vnet.ibm.com
Sat Jun 29 00:06:53 AEST 2019


On 6/25/19 5:02 PM, Eric Richter wrote:
> Platforms determine whether or not they support secure boot by implementing
> a specific hook. After firmware secureboot has been initialized, if the
> platform hook has been implemented, we increase the secureboot version to
> "ibm,secureboot-v3" indicating secure variables are supported. The secure
> variables are then initialized.
> 
> Signed-off-by: Eric Richter <erichte at linux.ibm.com>
> ---
>  libstb/secureboot.c | 23 +++++++++++++++++++++++
>  1 file changed, 23 insertions(+)
> 
> diff --git a/libstb/secureboot.c b/libstb/secureboot.c
> index 1578f52e..d8ed61b8 100644
> --- a/libstb/secureboot.c
> +++ b/libstb/secureboot.c
> @@ -75,6 +75,24 @@ bool secureboot_is_compatible(struct dt_node *node, int *version, const char **c
>  	return false;
>  }
> 
> +static int update_secureboot_compatible(void)
> +{
> +	struct dt_node *sb_node;
> +	struct dt_property *sb_compat;
> +
> +	sb_node = dt_find_by_path(dt_root, "/ibm,secureboot/");
> +	if (!sb_node)
> +		return 1;
> +
> +	sb_compat = (struct dt_property*) dt_find_property(sb_node, "compatible");
> +	if (!sb_compat)
> +		return 2;
> +
> +	strcpy(sb_compat->prop, "ibm,secureboot-v3");
> +
> +	return 0;
> +}
> +
>  void secureboot_init(void)
>  {
>  	struct dt_node *node;
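Review bot: The strcpy() in update_secureboot_compatible() writes "ibm,secureboot-v3" (17 characters plus the terminating NUL) into sb_compat->prop without checking how large the existing property value is. If /ibm,secureboot/compatible ever holds a shorter string, this overruns the property buffer. Compare the property's length against the new string before copying, or replace the property through the device-tree API instead of rewriting it in place, which would also remove the need for the (struct dt_property*) cast. Separately, the return values 1 and 2 are undocumented and the caller only tests for non-zero, so either name them or return a single error value.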
> @@ -170,6 +188,11 @@ void secureboot_init(void)
>  	if (cvc_init())
>  		secureboot_enforce();
> 
> +	if (platform.secvar_init) {
> +		if (update_secureboot_compatible())
> +			secureboot_enforce();
> +		platform.secvar_init();
> +	}

Turns out this is a terrible place to update the compatible property,
as trustedboot_init() still expects "ibm,secureboot-v2".

I have a patch in the works that will be sent with a V3 of the series that
instead probes for secure variable support prior to any secure boot related
initialization and increments the compatible version. Secure and trusted
boot init functions will also be updated to handle -v3.

>  	secure_init = true;
>  }
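Review bot: In the new block in secureboot_init(), platform.secvar_init() is called unconditionally after the update_secureboot_compatible() check, so secure variables are still initialized when the compatible update failed, and the device tree can then disagree with what was actually set up. Put the call in an else branch or return early on failure. Any result from platform.secvar_init() is also discarded, unlike the cvc_init() call directly above, whose failure leads to secureboot_enforce(); if secvar_init can fail, handle it the same way. A short comment stating why a failed compatible update should trigger enforcement would help as well.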
> 


